View Full Version : Browsers under attack
Rogue Chrome browser extensions ...
March 26, 2012 - "Cybercriminals are uploading malicious Chrome browser extensions to the official Chrome Web Store and use them to hijack Facebook accounts, according to security researchers from Kaspersky Lab*. The rogue extensions are advertised on Facebook by scammers and claim to allow changing the color of profile pages, tracking profile visitors or even removing social media viruses... Once installed in the browser, these extensions give attackers complete control over the victim's Facebook account and can be used to spam their friends or to Like pages without authorization. In one case, a rogue extension masqueraded as Adobe Flash Player and was hosted on the official Chrome Web Store... By the time it was identified, it had already been installed by 923 users... Few users are aware that browser extensions can intercept everything they do through the browser. Security compromises based on rogue browser extensions are also more persistent than those based on password theft or other methods, because these extensions can piggyback on active sessions to perform unauthorized actions even if the account owners change their passwords or enable two-factor authentication..."
Browser SSL trouble
Last Updated: 2012-09-13 - "... new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation. It allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work both the website and the browser must support the SPDY protocol. Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol. Both the Firefox and Chrome browsers also support this protocol. Internet Explorer and Safari does not support SPDY and are not vulnerable. It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.
"To disable SPDY support in Firefox 13 or later (previous versions have it disabled by default), edit the chrome settings:
network.http.spdy.enabled = false
network.http.spdy.enabledv2 = false (present in FF 15)"
(via "about:config" w/o the quotes)
MS12-063 released (KB2744842):
Sep 21, 2012
V2.0 (Sep 21, 2012): Advisory updated to reflect publication of security bulletin.
IE 0-day in-the-wild...
Last Update: 2012-09-18
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, 7.x, 8.x, 9.x
... vulnerability is caused due to a use-after-free error when handling "<img>" arrays and can be exploited via a specially crafted web page. Successful exploitation allows execution of arbitrary code... currently being actively exploited. The vulnerability is reported on a fully patched Windows XP SP3. Other versions may also be affected...
... Reported as a 0-day.
"... potential Microsoft Internet Explorer 7 and 8 zero-day... exploited in the wild... This file is recognized as a HTML file*..."
File name: F4537FE00E40B5BC01D9826DC3E0C2E8.dat
Detection ratio: 15/42
Analysis date: 2012-09-18 10:50:06 UTC
18 Sep 2012 - "... The Rapid7 team got right on it and created a module exploiting the vulnerability for the Metasploit exploit toolkit during the weekend, and advised IE users to switch to other browsers such as Chrome or Firefox until Microsoft patches the flaw security update becomes available. Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate - but not yet remove - the threat:
• Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7's advice and switch to another browser for the time being."
18 Sep 2012 - "... It remains to be seen whether patching the vulnerability will have to wait for the next scheduled Patch Tuesday in October or whether an unscheduled patch will be released..."
Last Updated: 2012-09-17 - "... there is code in-the-wild that exploits this (since Sept14th)... there is no patch for it yet. If you're still running IE7, 8 or 9, today is a good day to think about switching browsers for a couple of weeks... (this zero day affects not just IE8, but also IE7 and IE9)..."
Sep 17, 2012 - "... The payload dropped is Poison Ivy...
File name: a01dee0fdb5a752afea044c4e4fe4534ef5a23f6
Detection ratio: 25/42
Analysis date: 2012-09-18 06:19:29 UTC
The C&C server configured is ie.aq1 .co.uk that is currently resolving to 22.214.171.124 ...
We’ve also seen that the domain used in the previous attacks hello.icon .pk is also pointing to the new IP address. Once executed, the payload creates the file C:\WINDOWS\system32\mspmsnsv.dll and the service WmdmPmSN is configured and started..."
17 Sep 2012 - "... the remote administration tool (RAT) Poison Ivy is currently being distributed in this way in order to give the attackers complete access to the infected system. Users running Internet Explorer can play it safe by switching to another web browser..."
17 Sep 2012 - "... this exploit was hosted on the same servers used in the Nitro attack*..."
Pg. 4 - PDF file: "... the threat used to compromise the targeted networks is Poison Ivy, a Remote Access Tool (RAT)... It comes fully loaded with a number of plug-ins to give an attacker complete control of the compromised computer..."
Sep 17, 2012 - "... get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit..."
Vulnerable browsers (out-of-date) put users at risk
Many users are waiting a month or more to apply important security updates that can protect them from exploits and malware.
Nov 9, 2012 - "According to the results of a new survey from security software vendor Kaspersky*, nearly a quarter of the browsers currently in use are out of date. Surfing the Web with a vulnerable browser is a recipe for disaster. The Web browser has evolved to become the primary software used on many PCs. People access their email, surf websites, create documents and spreadsheets, access cloud-based file storage and sharing sites, and share with others on social networking sites - all through the browser. Attackers know this as well, which is why it is exceptionally risky to use a browser with known vulnerabilities... researchers analyzed the browser usage data from millions of customers around the world, and uncovered some concerning trends.
- 23% of browsers are not current: 14.5% are still using the previous version, while 8.5% are using even older, obsolete versions.
- When a new version of a browser is released, it can take nearly 10 days for it to surpass the previous version in usage, and an average of about a month for a majority of users to upgrade.
... With the holiday shopping season getting ready to kick off, millions of users will be researching gift ideas, and making holiday gift purchases online. Attackers have marked their calendars as well, and there will almost certainly be a spike in Web-based attacks. It's even more important during the holiday season to make sure you keep your browser, and your security software up to date."
Browsers hacked at Pwn2Own...
8 March 2013 - "The Pwn2Own competition at CanSecWest has come to an end with the second day being like the first day. No web browser plugin survived being attacked and Adobe Flash, Adobe Reader XI and Java were all successfully hacked. Vupen security, who had demonstrated exploits of Internet Explorer 10*, Firefox** and Java on day one, returned with an exploit for Adobe Flash... In response to day one's exploits, both Mozilla and Google*** have shipped updates to their browsers. Mozilla's Firefox has been updated to version 19.0.2 with a fix for the vulnerability; the same fix, for a use-after-free in the HTML editor which could lead to arbitrary code execution..."
March 12, 2013 - Critical - IE 6, 7, 8, 9, 10
Fixed in Firefox 19.0.2
Fixed in v25.0.1364.160